This mainly follows the recommendations given in the article "Cryptographic Right Answers": Password handling: As soon as you receive a password, hash it using scrypt or PBKDF2 and erase the plaintext password from memory. Do NOT store users' passwords. Do NOT hash them with MD5. Use a real key …
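The password-handling recommendation quoted above (hash with scrypt on receipt, then erase the plaintext), as an added Python example that is not code from this post or from "Cryptographic Right Answers". The cost parameters, the `scrypt$...` record format and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters and sizes (not values from the quoted article).
N, R, P = 2**14, 8, 1
SALT_LEN, KEY_LEN = 16, 32
MAXMEM = 64 * 1024 * 1024  # upper bound on scrypt memory use


def _wipe(buf: bytearray) -> None:
    """Zero the caller's buffer in place. Best effort: copies made earlier
    (for example an immutable str from a web framework) cannot be erased."""
    for i in range(len(buf)):
        buf[i] = 0


def hash_password(password: bytearray) -> str:
    """Derive a salted scrypt hash, then erase the plaintext buffer."""
    salt = os.urandom(SALT_LEN)
    try:
        key = hashlib.scrypt(password, salt=salt, n=N, r=R, p=P,
                             maxmem=MAXMEM, dklen=KEY_LEN)
    finally:
        _wipe(password)
    # Parameters are stored with the hash so they can be raised later.
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify_password(password: bytearray, record: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        key = hashlib.scrypt(password, salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p),
                             maxmem=MAXMEM, dklen=len(expected))
        return hmac.compare_digest(key, expected)
    except ValueError:
        return False  # malformed record or invalid parameters
    finally:
        _wipe(password)
```

Callers should read the password into a `bytearray` from the start; once it has existed as a `str` or `bytes` object, that copy stays in memory until the interpreter reclaims it.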